@PreFilter and @PostFilter in Spring Security

By Arvind Rai, December 28, 2013

@PreFilter and @PostFilter are a powerful Spring Security feature for filtering collections or arrays on the basis of authorization. This is achieved using expression-based access control in Spring Security. @PreFilter filters the collection or array before the method is executed. @PostFilter filters the returned collection or array after the method is executed. Spring Security provides a built-in object named filterObject, on which @PreFilter and @PostFilter perform the filtering. @PreFilter and @PostFilter can be used on the service layer together with @PreAuthorize and @PostAuthorize. Use an interface to declare the filter operation.
IBookService.java

filterObject is the built-in object on which the filter operation is performed. In this declaration, the first method, getBooks(), uses @PreAuthorize and @PostFilter: before the method is executed, the user is authorized on the basis of role, and after it is executed, the returned object is filtered on the basis of owner. The second method, addBook(), uses only @PreFilter, on the basis of owner. Find the implementation class of IBookService.
BookService.java
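
An added example, not the article's original listing: declarations matching the description above, with the in-place filtering behaviour made explicit. The Book class, its owner property, the ROLE_USER role name and the method signatures are assumptions.

```java
// Added example. Assumptions: Book and its "owner" property, the ROLE_USER
// role name and the method signatures are illustrative, not the article's code.
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;

class Book {
    private final String title;
    private final String owner; // username allowed to see or add this book

    Book(String title, String owner) { this.title = title; this.owner = owner; }
    public String getTitle() { return title; }
    public String getOwner() { return owner; }
}

interface IBookService {
    // 1. The caller must hold the role, otherwise the method is never invoked.
    // 2. After the call, every element whose owner is not the caller is
    //    removed from the returned list.
    @PreAuthorize("hasRole('ROLE_USER')")
    @PostFilter("filterObject.owner == authentication.name")
    List<Book> getBooks();

    // Before the call, elements not owned by the caller are removed from the
    // argument itself, so callers must pass a mutable list; an immutable one
    // (for example List.of(...)) fails with UnsupportedOperationException.
    @PreFilter("filterObject.owner == authentication.name")
    void addBook(List<Book> books);
}

class BookService implements IBookService {
    private final List<Book> store = new ArrayList<>();

    @Override
    public List<Book> getBooks() {
        // Return a copy: @PostFilter edits the returned collection in place,
        // so handing out 'store' directly would delete other users' books.
        return new ArrayList<>(store);
    }

    @Override
    public void addBook(List<Book> books) {
        store.addAll(books); // only the caller's own books reach this point
    }
}
```

Pre/post annotations must be enabled in the application's method security configuration, and BookService must be invoked through its Spring-managed proxy, for the expressions to be evaluated.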